chore(go): bump indirect deps #650
➖ Are we earthbuild yet? No change in "earthly" occurrences
📈 Overall Progress
Keep up the great work migrating from Earthly to Earthbuild! 🚀
💡 Tips for finding more occurrences
Run locally to see detailed breakdown: ./.github/scripts/count-earthly.sh
Note that the goal is not to reach 0.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Code Review
This pull request updates numerous Go dependencies in go.mod and go.sum. Key updates include upgrading github.com/docker/docker to v28.0.4, github.com/opencontainers/runtime-spec to v1.3.0, and various containerd, moby, and prometheus libraries to newer versions. As there are no review comments provided, I have no feedback to offer on this pull request.
Bumps multiple indirect Go dependencies in go.mod/go.sum to newer versions, addressing 6 known vulnerabilities and successfully removing github.com/opencontainers/runc from the dependency graph.

Resolved Vulnerabilities (govulncheck)

- github.com/opencontainers/runc (Removed from go.mod):
  - CVE-2024-21626 (Critical): Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in runc <= v1.1.9.
  - runc cp.
- github.com/docker/docker (Upgraded to v28.0.4+incompatible):
  - firewalld reload would remove bridge network isolation. (Fixed in v25.0.13+incompatible).
- github.com/in-toto/in-toto-golang (Upgraded to v0.11.0):
  - ^ instead of !) compared to in-toto-python which could allow layouts to bypass validation checks depending on the toolchain used.
- golang.org/x/sys (Upgraded to v0.46.0 in examples):
  - NewNTUnicodeString affecting Windows platforms. (Fixed in v0.44.0).

The buildkit upgrade blocks fixing the remaining vulnerabilities.